Cryptocat -vs- PGP (https://crypto.cat/)

Александр afalex169 at gmail.com
Thu Jan 5 09:13:04 PST 2017


 An Open Letter to The New York Times

December 17, 2016
Dear *The New York Times* newsroom and information security staff,

On December 15, 2016, nytimes.com published a new tips page
<https://www.nytimes.com/newsgraphics/2016/news-tips/> that offers
individuals who want to blow the whistle on newsworthy issues ways to do so
without risking their security and privacy. There is no question that this
commendable decision, taken by a newspaper of record, is a significant
asset towards a more effective free press.

*The New York Times* makes itself available to tipsters via cutting-edge
privacy technologies such as *SecureDrop* <https://securedrop.org> and
*Signal* <https://whispersystems.org>. *SecureDrop* has been deployed in
many of the world's most important newsrooms and has almost certainly aided
in the publication of the most ethically significant leaks of this decade.
*Signal*'s parent company, *Open Whisper Systems*, has indirectly allowed
more than a billion people access to indisputably strong encryption.
Cryptocat's own development was strongly influenced, and has influenced,
these tools: we adopted a variant of *Signal*'s encryption protocol in
March 2016, which was clearly superior to our own, and our early research
on client-side web encryption in 2011 set the stage for *SecureDrop* and
*Mailvelope* (another recommended tool) to follow in using similar
engineering fundamentals, oftentimes by learning through our own early
engineering mistakes and thereby avoiding them.

Cryptocat was also funded by the same primary backer as *SecureDrop*,
*Signal* and *Mailvelope*: the *Open Technology Fund*
<https://www.opentech.fund>, an institution financed by public U.S.
taxpayer dollars which supports independent efforts towards a more secure
and private Internet. As a side-note, Cryptocat was even featured
<http://www.nytimes.com/2012/04/18/nyregion/nadim-kobeissi-creator-of-a-secure-chat-program-has-freedom-in-mind.html>
in a *The New York Times* article back when it (and myself) were quite
young and starting up.

Cryptocat does not offer the services of either *Signal* or *SecureDrop*:
it does not run on mobile devices and its user experience is not directly
focused on the anonymous leaking of documents. Cryptocat is desktop
software that offers a service similar to *Google Talk* or *Yahoo Messenger*:
desktop chat with the ability to send large files, video messages, and
offline messages. Unlike those services, Cryptocat couples these features
with strong encryption, support for multiple devices and advanced security
features <https://crypto.cat/security.html> such as certificate pinning,
forward secrecy and future secrecy. When you use Cryptocat, the aim is that
we cannot ever decipher the messages and files you communicate.

However, *The New York Times*'s tips page also recommends a third tool,
*PGP* <http://openpgp.org/>, implemented through the *Mailvelope* browser
extension, which allows users to send encrypted emails to *The New York
Times*.

The goal of this letter is to petition for Cryptocat's inclusion instead of
*PGP*. *PGP* does not offer a standard of security that merits its
inclusion, while Cryptocat does provide a clearly higher standard of
security and privacy than *PGP* when used under the same use-case. Here is
the reasoning behind this claim:

Cryptocat vs. PGP: On History

It is best to start with the obvious: in the case that Cryptocat was ever
considered by *The New York Times* for their tips page, it was likely
almost immediately dismissed due to its history of critical vulnerabilities
in different
<http://arstechnica.com/security/2013/07/bad-kitty-rooky-mistake-in-cryptocat-chat-app-makes-cracking-a-snap/>
aspects
<https://nakedsecurity.sophos.com/2013/07/09/anatomy-of-a-pseudorandom-number-generator-visualising-cryptocats-buggy-prng/>
of its engineering during its early development. In 2012 and 2013,
Cryptocat fell to regrettable lapses in engineering practices that led to a
well-deserved weakening of its reputation. Cryptocat clearly failed its
users on multiple occasions, and for the past three years, I have been
deeply sorry and regretful for these mistakes and I have dedicated all the
effort that is within my capacity to mitigating them and preventing them in
the future.

Nevertheless, every time these vulnerabilities were reported, Cryptocat
responded with full disclosure, immediately issuing security updates and
publicly thanking and crediting the security researchers responsible for
their discovery.

*PGP*, on the other hand, is a well-studied protocol, owing largely to its
initial release in 1991, a clean two decades before Cryptocat's inception.
The *PGP* protocol's maturity notwithstanding, it should be noted that
*Mailvelope* is actually younger than Cryptocat and still uses some of the
engineering practices that Cryptocat was often criticized for, such as
working inside the web browser and even going further than Cryptocat ever
did, by injecting code into web pages that it does not control. Cryptocat
recognized these engineering practices as fundamentally unsafe and
completely moved away from them in its rewrite this year as a pure desktop
application.

The truth is that since its complete rewrite in March 2016, Cryptocat has
simply adopted engineering fundamentals that are known to be undoubtedly
safer than those used by *Mailvelope*, and has been able to integrate
encryption technologies that the ossified *PGP* protocol cannot hope to
accomplish. Furthermore, Cryptocat's new rewrite as a desktop application
was undergone during my graduate studies, in an environment where I had the
resources to produce dependable software. Cryptocat's rewrite was in fact
largely informed by the research I participated in for an upcoming academic
publication (*Automated Verification for Secure Messaging Protocols and
their Implementations: A Symbolic and Computational Approach*) that studies
secure messaging in detail.

This is a stark difference from the first Cryptocat, which was developed as
one of my very first programming projects when I was twenty years old.
Judging the new Cryptocat desktop application on the basis of the older
Cryptocat browser extension is as legitimate as judging a *Boeing 747* on
the basis of the performance of the Wright Brothers' first functioning
aeroplane. This sort of comparison must not be the benchmark with which
security software is evaluated.

It is true that *PGP* remains more aged than Cryptocat. But we are not in
the business of fine wine here; *Signal*, *SecureDrop* and any other tool
worth using is not only younger than *PGP* but younger than Cryptocat
itself. We should judge based on engineering merit, not on age. And when
past reputation is concerned, I believe that Cryptocat has honestly done
the work to obtain full merit for its excellence in moving past its early
blunders into dependable software.

Cryptocat vs. PGP: On Cryptographic Security

In *PGP*, all emails ever sent by a tipster are encrypted with one single
private key, which is kept indefinitely on the user's computer. This
private key can only be changed or reset via a manual and relatively
obscure process. Whenever this is done, the user's new public key must be
communicated manually to all of its contacts. If this single private key is
ever compromised, all of that user's prior communications, emails and
attachments are forever compromised. If a user wants to use their same *PGP*
identity on multiple devices, the compromise of one device compromises all
of their past communications from all of their devices. In *"What's the
Matter with PGP?"*
<https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/>,
Matthew Green writes:

“For all the good *PGP* has done in the past, it’s a model of email
encryption that’s fundamentally broken. It’s time for *PGP* to die. [...] A
*PGP* critic is just a *PGP* user who’s actually used the software for a
while. At this point so much potential in this area and so many
opportunities to do better. It’s time for us to adopt those ideas and stop
looking backwards.”

Cryptocat is cryptographically superior to *PGP* in almost every respect:

   - *No Long-Term Encryption Key*: By basing its cryptography on the
   innovative *Double Ratchet*
   <https://whispersystems.org/docs/specifications/doubleratchet/>
   algorithm, Cryptocat's chat encryption <https://crypto.cat/security.html>
   generates a fresh encryption key for every message. The theft of a device
   therefore only compromises the last small handful of messages, and only
   allows the user to impersonate the victim's device until that key is
   disassociated from the user's account.
   - *Forward and Future Secrecy*: If, at any point, the state of the
   encryption keys for a conversation is compromised, the conversation's
   security will *self-heal* with fresh key material, preventing the
   compromise of any past or future messages.
   - *Multi-Device Support*: Cryptocat supports linking multiple devices to
   a user's account through its implementation of the OMEMO
   <https://conversations.im/omemo/> standard. Cryptocat extends this to
   allow recipients to authenticate contacts on a per-device basis and to see
   which device was used to send a particular message. If a device's identity
   keys are stolen, only that device may be impersonated, and the owner may
   unlink it from their Cryptocat account using any other device.

To be clear, no one is claiming that Cryptocat is invincible. But all
empirical analysis of the current cryptographic protocol indicates that it
stands a better chance than *PGP* in terms of surviving a compromise or an
active attacker.

Cryptocat vs. PGP: On Metadata

Let's assume a scenario in which someone is listening on the tipster's
Internet connection. If the tipster uses PGP, the following information
will be leaked:

   - *Email Address*: The tipster will need to sign up for an email
   account. This is more likely than not to be a semi-permanent identifier,
   since obtaining an email account without some kind of SMS verification is
   becoming increasingly restricted by major providers such as Gmail and
   Microsoft. The email service provider will then log IP addresses used to
   log into that email, which email addresses sent tips to a *The New York
   Times* email address, and more. If the tipster uses their regular email
   address, they are almost certainly in trouble.
   - *Key Metadata*: *PGP* keys carry a significant amount of metadata,
   including the *PGP* version used to encrypt the message, the date the
   key was created, and much more. In order to correctly authenticate a
   *PGP* key, more identifying information might have to exist in order to
   convincingly correlate a key to an owner.

With Cryptocat, users can create <https://crypto.cat/create> random,
one-time-use usernames without needing to provide a phone number or email
address, or anything really. The only metadata the Cryptocat server sees is
that a random username was used to send a message to *The New York Times*'s
account. The Cryptocat server does not retain any other information,
including account creation time, IP addresses used to login, or anything
else. Someone spying on the tipster's network will only be able to see that
the tipster at some point used Cryptocat, but cannot identify which
username the tipster used, or with whom the tipster communicated. Once the
tip is communicated, Cryptocat users may choose to delete their account
<https://crypto.cat/help.html#deleteAccount>, which completely erases any
trace of the account on Cryptocat's servers.

Once again, the hard, concrete facts indicate that Cryptocat is superior to
*PGP* in terms of metadata. However, it should still be noted that
Cryptocat, *PGP* and the other software recommended by *The New York Times*
still leak substantially more metadata than *SecureDrop*: tipsters with a
strong metadata-related concern should consider using *SecureDrop* instead.

Cryptocat vs. PGP: On Usability

*PGP* is notorious for how painful it is to use. Cryptographers almost
unanimously consider its usability to be the source of mistakes that can
jeopardize user security within the first email they attempt to send. Aside
from Matthew Green's above-quoted post on *PGP*, *Signal*'s original
programmer also had this <https://moxie.org/blog/gpg-and-me/> to say:

When I receive a *PGP* encrypted email from a stranger, though, I
immediately get the feeling that I don’t want to read it. [...] *PGP* is a
technology dead end [...] In the 1990s, I was excited about the future, and
I dreamed of a world where everyone would install *PGP*. Now I’m still
excited about the future, but I dream of a world where I can uninstall it.

When using *PGP*, users must manually set up email clients and *PGP*
plugins, all of varying degrees of quality and dependability. They must
sign up with an email provider that might not respect their rights to
privacy. They must manually generate *PGP* key pairs and communicate them
to their third party, or upload them to a "key server" for out-of-band
authentication. Finally, they must manually download and import the
recipient's public key.

In comparison, using Cryptocat involves downloading the client, signing up,
registering your device, adding your recipient as a buddy and sending a
message (after optionally verifying their device list via a friendly user
interface). Unlike *PGP*, the workflow is almost exactly similar to that of
popular applications such as *Skype*; therefore, there is crucially less
room for the user to make a mistake.

Aside from having less room for failure, Cryptocat also simply offers more
features: support for multiple devices, each with a separate identity.
Online and offline messaging. File sharing with file sizes of up to 200MB,
which is far beyond what email attachments allow. And while this might be
less useful for tipsters, Cryptocat also allows users to record video
messages right from within their chat window.

Cryptocat: Not Perfect but the Clear Better Choice

All software will have bugs. No solution is bulletproof. All of the tools
currently mentioned on the tips page of *The New York Times* have had
vulnerabilities of varying severity, and security updates are, therefore, a
fact of life for any software that we use and that matters.

However, when we dare to discern, when we judge based on fact and science,
we can clearly understand that Cryptocat is a better choice than *PGP*. In
line with the Cryptocat Mission Statement <https://crypto.cat/mission.html>,
Cryptocat will strive to be dependable software that deserves to be the
conduit between some of the world's best journalists and stories that might
change our lives. I ask the staff at *The New York Times*, with the most
sincere good faith and the most serious intent, to replace *PGP* with
Cryptocat. Over its six years of development, it has matured into
dependable software. It is the better choice.





Signed,
Nadim Kobeissi <https://nadim.computer>
Cryptocat software programmer
<https://crypto.cat/news.html#nytltr>
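
The key-rotation behaviour the letter attributes to the Double Ratchet ("No Long-Term Encryption Key", "Forward and Future Secrecy"), as an added example that is not part of the original letter and is not Cryptocat's code. Assumptions: the names kdf_ck and kdf_rk and the 0x01/0x02 HMAC inputs follow the Double Ratchet specification's suggestions, the root step is a simplified HMAC construction rather than HKDF, and the DH outputs are constructed stand-in bytes the attacker never sees.

```python
import hashlib
import hmac

def kdf_ck(chain_key):
    """Symmetric ratchet step: chain key -> (next chain key, message key)."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain_key = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain_key, message_key

def kdf_rk(root_key, dh_output):
    """Root step: mix a fresh DH output in -> (new root key, new chain key).
    Simplified HMAC construction for illustration (assumption, not HKDF)."""
    prk = hmac.new(root_key, dh_output, hashlib.sha256).digest()
    return (hmac.new(prk, b"root", hashlib.sha256).digest(),
            hmac.new(prk, b"chain", hashlib.sha256).digest())

def run_session(root_key, dh_outputs, per_epoch):
    """Derive every message key; record the state held before each message."""
    message_keys, states = [], []
    for dh_output in dh_outputs:
        root_key, chain_key = kdf_rk(root_key, dh_output)
        for _ in range(per_epoch):
            states.append((root_key, chain_key))
            chain_key, mk = kdf_ck(chain_key)
            message_keys.append(mk)
    return message_keys, states

def exposed_by_theft(message_keys, stolen_state, max_steps):
    """Indices of message keys derivable from a stolen state when the thief
    learns no later DH output: the chain can only be stepped forward."""
    _, chain_key = stolen_state
    derived = set()
    for _ in range(max_steps):
        chain_key, mk = kdf_ck(chain_key)
        derived.add(mk)
    return [i for i, mk in enumerate(message_keys) if mk in derived]

# Constructed inputs: 3 DH epochs of 4 messages each (messages 0..11).
ROOT = hashlib.sha256(b"constructed initial shared secret").digest()
DH_OUTPUTS = [hashlib.sha256(b"constructed dh %d" % i).digest() for i in range(3)]
KEYS, STATES = run_session(ROOT, DH_OUTPUTS, per_epoch=4)

# State stolen just before message 5 (second message of the middle epoch).
EXPOSED = exposed_by_theft(KEYS, STATES[5], max_steps=100)

if __name__ == "__main__":
    print("message keys exposed by the theft:", EXPOSED)
    print("a single static key would expose all", len(KEYS), "messages")
```

Messages before the theft stay protected because HMAC cannot be run backwards, and messages in the next epoch stay protected because the new chain key depends on a DH output the stolen state does not contain.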